Denis Rizaev [Mon, 24 May 2010 13:06:36 +0000 (15:06 +0200)]
fix initial run level
I did a little investigation about runlevels and I think we can assume
runlevels 2-5 as normal. So, we can check if the system was in runlevel 2-5
and the proc count is 1 and now we are in 0/6.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Signed-off-by: Denis Rizaev <Denis.Rizaev@trueoffice.ru>
Daniel Lezcano [Wed, 12 May 2010 21:44:28 +0000 (23:44 +0200)]
add a configure option to set a rootfs mount point
Add a configure option to set a mount point path when using a rootfs,
that will replace the actual behavior which creates unneeded /tmp/lxc**
directories.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Ferenc Wagner [Mon, 10 May 2010 09:50:10 +0000 (11:50 +0200)]
no need to use a temporary directory for pivoting
Ferenc Wagner <wferi@niif.hu> writes:
> Daniel Lezcano <dlezcano@fr.ibm.com> writes:
>
>> Ferenc Wagner wrote:
>>
>>> Daniel Lezcano <daniel.lezcano@free.fr> writes:
>>>
>>>> Ferenc Wagner wrote:
>>>>
>>>>> While playing with lxc-start, I noticed that /tmp is infested by
>>>>> empty lxc-r* directories: [...] Ok, this name comes from lxc-rootfs
>>>>> in conf.c:setup_rootfs. After setup_rootfs_pivot_root returns, the
>>>>> original /tmp is not available anymore, so rmdir(tmpname) at the
>>>>> bottom of setup_rootfs can't achieve much. Why is this temporary
>>>>> name needed anyway? Is pivoting impossible without it?
>>>>
>>>> That was put in place with chroot, before pivot_root, so the distro's
>>>> scripts can remount their '/' without failing.
>>>>
>>>> Now we have pivot_root, I suppose we can change that to something cleaner...
>>>
>>> Like simply nuking it? Shall I send a patch?
>>
>> Sure, if we can kill it, I will be glad to take your patch :)
>
> I can't see any reason why lxc-start couldn't do without that temporary
> recursive bind mount of the original root. If neither do you, I'll
> patch it out and see if it still flies.
For my purposes the patch below works fine. I only run applications,
though, not full systems, so wider testing is definitely needed.
Guillaume Zitta [Mon, 10 May 2010 09:50:10 +0000 (11:50 +0200)]
make lxc-checkconfig more explicit
With a friend, we installed lxc on his server.
We spent 1 hour on the kernel config because we didn't know:
- that lxc-checkconfig is a bash script and it can check a config before
running it
- which kernel config item was not good
- that CONFIG_SECURITY_FILE_CAPABILITIES is obsolete since 2.6.33
So, here is a patch for lxc-checkconfig that could save time for lxc newbies.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Modified-by: Daniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: Guillaume Zitta <lxc@zitta.fr>
Daniel Lezcano [Mon, 10 May 2010 09:50:09 +0000 (11:50 +0200)]
update INSTALL file
"lxc configure does not exist. You need to run ./autogen.sh to create it.
I think it needs to either be documented in INSTALL or you provide ./configure"
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Reported-by: Jamal Hadi Salim <hadi@cyberus.ca>
Daniel Lezcano [Mon, 10 May 2010 09:50:09 +0000 (11:50 +0200)]
fix pivot_root temporary directory
First of all, when trying to start a container in a read-only root
lxc-start complains:
lxc-start: Read-only file system - can't make temporary mountpoint
This is in conf.c:setup_rootfs_pivot_root() function. That function
uses optional parameter "lxc.pivotdir", or creates (and later removes)
a temporary directory for pivot_root. Obviously there's no way to
create a directory in a read-only filesystem.
But lxc.pivotdir does not work either. In the function mentioned above
it is used with a leading dot (e.g. if I specify "lxc.pivotdir=pivot" in
the config file the pivot_root() syscall will be made to ".pivot" with
a leading dot, not to "pivot"), but later on it is used without that dot,
and fails:
lxc-start: No such file or directory - failed to open /pivot/proc/mounts
lxc-start: No such file or directory - failed to read or parse mount list '/pivot/proc/mounts'
lxc-start: failed to pivot_root to '/stage/t'
(that's with "lxc.pivotdir = pivot" in the config file). After symlinking
pivot to .pivot it still fails:
lxc-start: Device or resource busy - could not unmount old rootfs
lxc-start: failed to pivot_root to '/stage/t'
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Daniel Lezcano [Mon, 10 May 2010 09:50:09 +0000 (11:50 +0200)]
Fix console infinite loop
When the client console exits, the mainloop goes into an infinite loop
as the handler is not removed and we are notified of the disconnection
indefinitely.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Fri, 7 May 2010 12:37:05 +0000 (14:37 +0200)]
do not exit mainloop when child is stopped
When the init container is stopped, we don't check this condition
and we assume the child exited and we wait indefinitely for the child
to exit while this one is stopped.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Michel Normand [Thu, 29 Apr 2010 08:03:59 +0000 (10:03 +0200)]
lxc: remove perror call in nl.c (V2)
There is only one such perror call, so remove it in nl.c.
In this same patch, verify that all functions of nl.c and network.c
are reporting a -errno value in case of error;
this value is reported in the lxc log by the callers in conf.c.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
lxc-kill sends a signal to the process 1 of the container.
If this command is used on an application container run by
lxc-execute, the lxc-init will receive the signal and will forward it to
the process 2 which is the command specified on the command line.
Signed-off-by: Greg Kurz <gkurz@fr.ibm.com>
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Thu, 8 Apr 2010 07:44:23 +0000 (09:44 +0200)]
change to the same directory when attaching
This patch will try to change the default "/" directory to the
directory we were before attaching. In order to work correctly,
the path has to exist in the container, that makes sense with a
shared file system without rootfs.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Thu, 8 Apr 2010 07:44:23 +0000 (09:44 +0200)]
restart the container at reboot
When the reboot is detected, reboot the container.
That needs all file descriptors opened by lxc-start
to be flagged with the close-on-exec flag, otherwise when
re-execing ourselves, we inherit our own fds.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
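The close-on-exec requirement described in the commit above, as an added C example that is not LXC's own code: it walks /proc/self/fd (assumed Linux) and flags every descriptor above the standard streams with FD_CLOEXEC, so that re-exec'ing the same binary does not inherit the parent's descriptors; the fd_is_cloexec helper is only there to verify the result.

```c
// Added example (not LXC's code): mark every open descriptor close-on-exec
// before re-exec, so the restarted process does not inherit stray fds.
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Set FD_CLOEXEC on all open descriptors >= lowest (3 keeps stdin/out/err),
 * skipping the directory stream used to enumerate /proc/self/fd.
 * Returns the number of descriptors flagged, or -1 on error. */
int set_all_cloexec(int lowest)
{
    DIR *dir = opendir("/proc/self/fd");
    if (!dir)
        return -1;
    int self_fd = dirfd(dir);   // must not touch the enumeration fd
    int count = 0;
    struct dirent *de;
    while ((de = readdir(dir)) != NULL) {
        if (de->d_name[0] == '.')
            continue;           // "." and ".."
        char *end;
        long fd = strtol(de->d_name, &end, 10);
        if (*end != '\0' || fd < lowest || fd == self_fd)
            continue;
        int flags = fcntl((int)fd, F_GETFD);
        if (flags < 0)
            continue;           // descriptor vanished between readdir and fcntl
        if (!(flags & FD_CLOEXEC) &&
            fcntl((int)fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            closedir(dir);
            return -1;
        }
        count++;
    }
    closedir(dir);
    return count;
}

/* Returns 1 if fd carries FD_CLOEXEC, 0 if not, -1 if fd is not open. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}
```

Descriptors that must survive the exec (for example a listening socket handed to the new image) have to be excluded explicitly or re-cleared after the call; the point of the sweep is that inheritance becomes opt-in.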
Daniel Lezcano [Thu, 8 Apr 2010 07:44:23 +0000 (09:44 +0200)]
count the number of tasks in the container
This patch adds a function to count the number of tasks in the
container. The result is not reliable as it may change with a fork
or an exit, but in some cases, for example, there is only one task, or
the container is frozen, the result is accurate.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Michel Normand [Fri, 2 Apr 2010 16:45:47 +0000 (18:45 +0200)]
lxc: add --statefile opt to lxc-checkpoint/restart
based on patch from: Sukadev Bhattiprolu <sukadev@linux.vnet.ibm.com>
but also:
* remove the deprecated --directory one.
* change liblxc api of checkpoint/restart to use fd and not string.
* explicitly report error messages for the checkpoint/restart stub functions.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Michel Normand [Mon, 22 Mar 2010 10:08:34 +0000 (11:08 +0100)]
do not use logfile in lxc_init (V2)
The log file in lxc-init is quite useless as the code is trivial.
Signed-off-by: Michel Normand <normand@fr.ibm.com>
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Mon, 22 Mar 2010 10:08:34 +0000 (11:08 +0100)]
fix lxc-attach returned error
When we try to attach to a container belonging to another user than us,
the command fails as expected but the return code is wrong, so we have
an "unknown error" instead of "permission denied".
Daniel Lezcano [Thu, 25 Feb 2010 09:24:13 +0000 (10:24 +0100)]
fix network devices cleanup on error
Delete the network devices when an error occurs before they are moved
to the network namespace (network namespace destruction triggers the
network devices deletion). Otherwise they stay in the system.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Wed, 24 Feb 2010 15:24:55 +0000 (16:24 +0100)]
add missing cgroup include
Fix the warning:
start.c: In function ‘lxc_fini’:
start.c:250: warning: implicit declaration of function ‘lxc_unlink_nsgroup’
start.c: In function ‘lxc_spawn’:
start.c:380: warning: implicit declaration of function ‘lxc_rename_nsgroup’
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Wed, 24 Feb 2010 09:57:43 +0000 (10:57 +0100)]
allocate a console to be proxied
The actual behaviour of the console is messy as:
* it relies on a heuristic (tty or not, rootfs or not, etc ...)
* the container init steals the tty and we lose the control
The following patch:
* allocates a tty
* maps this tty to the container console
* proxies the I/O from the console to the file specified in the configuration
lxc.console=<file>
That allows specifying a file, a fifo, a $(tty), and can be extended with a
URI like file://mypath, net://1.2.3.4:1234, etc ...
That solves the problem with the heuristic and the container no longer steals
our current tty.
Note that by default, the console output will go to a blackhole if no configuration is
specified, so the container shows nothing.
In order to access the console from the tty, use
lxc-start -n foo -s lxc.console=$(tty)
I propose to make the container daemonize by default now.
I tried the following:
in a shell:
touch /var/lib/lxc/foo/console
tail --retry -f /var/lib/lxc/foo/console
in another shell:
lxc-start -n foo -s lxc.console=/var/lib/lxc/foo/console
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Fri, 22 Jan 2010 10:29:10 +0000 (11:29 +0100)]
unmount failure is not fatal
There are several cases where the system can no longer access a mount
point or a mount point configuration makes the algorithm bogus.
For example, we mount something and then we chroot; the mount information
will give an inaccessible path and the container won't be able to start
because this mount point will be inaccessible. But if that's the case, then
we can just warn and continue running the container.
Another case is when the path to a mount point is not accessible because there
is another mount point on top of it hiding the mount point. So the umount
will fail and the container won't start.
Easy to reproduce:
mkdir -p /tmp/dir1/dir2
mount -t tmpfs tmpfs /tmp/dir1/dir2
mount -t tmpfs tmpfs /tmp/dir1
So we can just ignore the error when unmounting and continue through the list again
and again until it shrinks.
At the end, we just display the list of the unmounted points.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Daniel Lezcano [Thu, 21 Jan 2010 13:48:42 +0000 (14:48 +0100)]
drop capabilities
Hello everyone!
I've written a patch which adds a new config keyword
'lxc.cap.drop'. This keyword allows specifying capabilities which are
dropped before executing the container binary.
Reworked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Signed-off-by: Michael Holzt <lxc@my.fqdn.org>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Taisuke Yamada [Mon, 18 Jan 2010 22:08:12 +0000 (23:08 +0100)]
Added -e to lxc-console to change command character (defaults to '^a')
I noticed lxc-console uses '^a' as command-mode prefix to
escape out of console session, so created a patch to make it
configurable. With this, you can do
lxc-console -n foo -e ^t
and exit the session with 'Ctrl+t q'.
For emacs-binding addicts (like me), it's always nice to
let the shell handle '^a' as the 'beginning-of-line' command...
Signed-off-by: Taisuke Yamada <tai@rakugaki.org>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Clement Calmels [Mon, 18 Jan 2010 22:08:12 +0000 (23:08 +0100)]
use getline instead of fgets
The getline function allocates the needed memory. Fixed buffers can lead
to 'hard to find' bugs. I didn't test the pivot_root part but the other
parts are ok.
Signed-off-by: Clement Calmels <clement.calmels@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>